DETAILED ACTION
Claim Objections 

1. Claim 29 is objected to as being dependent upon a rejected base claim, but would be 
allowable if rewritten in independent form including all of the limitations of the base claim 
and any intervening claims. 

As to claim 29, prior art does not teach a first set of packets that includes: a SYN Packet 
with false flag in the TCP option header; a Fragmented UDP packet with malformed header (any 
header inconsistency is sufficient), where the packet is 8K in size; a FIN Packet of a selected 
variable size or a FIN packet without the ACK or SYN flag properly set; and a generic, 
well-formed ICMP ECHO request packet. Prior art does not teach a third set of packets that 
includes: a generic well-formed TCP Header set to 1024 bytes in size; a packet requesting an 
ICMP Timestamp; a packet with min/max segment size set to a selected variable value; and a 
UDP packet with the fragment bit set. Prior art does not teach a fifth set of packets that includes: a 
TCP Packet with the header and options set incorrectly; a well-formed ICMP Packet; a 
Fragmented TCP or UDP packet; a packet with an empty TCP window or a window set to zero; a 
generic TCP Packet with 8K of random data; and a SYN Packet with ACK and RST flags set. 

Claim Rejections - 35 USC §102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in a patent granted on an application for patent by another filed in the United 
States before the invention thereof by the applicant for patent, or on an international application by another who 
has fulfilled the requirements of paragraphs (1), (2), and (4) of section 371(c) of this title before the invention 
thereof by the applicant for patent. 

The changes made to 35 U.S.C. 102(e) by the American Inventors Protection Act of 1999 
(AIPA) and the Intellectual Property and High Technology Technical Amendments Act of 2002 
do not apply when the reference is a U.S. patent resulting directly or indirectly from an 
international application filed before November 29, 2000. Therefore, the prior art date of the 
reference is determined under 35 U.S.C. 102(e) prior to the amendment by the AIPA (pre-AIPA 
35 U.S.C. 102(e)). 

2. Claims 1-5, 8-20, 23-28, 30, 33, 34, and 39-43 are rejected under 35 U.S.C 102(e) as 
being anticipated by Gleichauf et al U.S. Patent No. 6,324,656 B1. 

As to claims 1, 13 and 39, Gleichauf et al discloses identifying an operating system of a 
remote host [column 5, lines 27-40]. Gleichauf et al suggests that it includes a version and a 
patch level of the operating system [column 5, lines 27-40]. Gleichauf et al suggests identifying 
a service of the remote host including a version and a patch level of the service [column 5, lines 
27-40]. Gleichauf et al discloses identifying a vulnerability of the network based on information 
obtained from the steps of identifying an operating system and identifying a service [column 5, 
lines 41-57]. 

As to claims 2, 12 and 17, Gleichauf et al discloses that the step of identifying an 
operating system includes sending a first set of packets to the remote host and receiving a second 
set of packets from the remote host in response to the first set of packets [column 5, lines 27-40]. 
Gleichauf et al discloses that the step of identifying a service includes sending a third set of 
packets to the remote host and receiving a fourth set of packets from the remote host in response 
to the third set of packets [column 5, lines 27-40]. Gleichauf et al discloses that the information 
contained in the third set of packets is based on information received in the second set of packets 
[column 5, lines 27-40]. Gleichauf et al discloses that the step of identifying a vulnerability 
includes comparing information contained in the second set of packets and the fourth set of 
packets to preexisting information in a database [column 5, lines 41-57]. 

As to claim 3, Gleichauf et al suggests that the step of identifying an operating system 
includes sending three sets of packets to the remote host and receiving three respective sets of 
responsive packets from the remote host [column 5, lines 27-40]. 

As to claim 4, Gleichauf et al suggests nonintrusively and reliably identifying an 
operating system of a remote host including identifying a version of the operating system 
[column 5, lines 27-40]. Gleichauf et al discloses nonintrusively and reliably identifying a 
service of the remote host including identifying a version of the service [column 5, lines 27-40]. 

As to claim 5, Gleichauf et al discloses identifying a vulnerability of the network [column 
5, lines 27-40]. 

As to claim 8, Gleichauf et al discloses identifying security policy violations on the 
network [column 8, lines 13-25]. 

As to claim 9, Gleichauf et al discloses the step of identifying an operating system further 
includes identifying a patch level of the operating system [column 5, lines 27-40]. Gleichauf et 
al discloses the step of identifying a service further includes identifying a patch level of the 
service [column 5, lines 27-40]. 

As to claim 10, Gleichauf et al discloses sending a selected packet to the remote host. 
Gleichauf et al discloses receiving from the remote host a reflexive responsive packet [column 4, 
lines 9-19]. 

As to claim 11, Gleichauf et al discloses sending a plurality of selected packets to the 
remote host [column 4, lines 9-19]. Gleichauf et al discloses receiving from the remote host a 
plurality of reflexive responsive packets [column 4, lines 9-19]. 

As to claim 14, Gleichauf et al discloses that the step of identifying a vulnerability 
includes using information obtained from the steps of identifying an operating system and 
identifying a service to identify the vulnerability [column 5, lines 41-57]. 

As to claim 15, Gleichauf et al discloses that the step of identifying an operating system 
further includes identifying a patch level of the operating system, as discussed above. Gleichauf 
et al discloses that the step of identifying a service includes identifying a patch level of the 
service, as discussed above. 

As to claim 16, Gleichauf et al discloses sending a selected packet to the remote host 
[column 4, lines 9-19]. Gleichauf et al discloses receiving from the remote host a reflexive 
responsive packet [column 4, lines 9-19]. 

As to claim 18, Gleichauf et al suggests that the information contained in the third set of 
packets is based on information received in the second set of packets [column 4, lines 9-19]. 
Gleichauf et al suggests that the information contained in the fifth set of packets is based on 
information received in the fourth set of packets [column 4, lines 9-19]. 

As to claim 19, Gleichauf et al discloses sending a set of selected packets to a host on the 
network [column 4, lines 9-19]. Gleichauf et al discloses receiving from the remote host a set of 
reflexive responsive packets [column 4, lines 9-19]. Gleichauf et al discloses identifying 
conditions of the remote host by using information received in the reflexive responsive packets 
[column 4, lines 9-19]. Gleichauf et al discloses that the conditions include an operating system 
of the host, and a service of the host [column 5, lines 27-40]. 

As to claim 20, Gleichauf et al discloses that the conditions further include a vulnerability 
of the host, as discussed above. 

As to claim 23, Gleichauf et al discloses that identifying an operating system includes 
identifying a version, as discussed above. Gleichauf et al discloses that identifying a service 
includes identifying a version, as discussed above. 

As to claim 24, Gleichauf et al discloses that identifying an operating system includes 
identifying a version and a patch level, as discussed above. Gleichauf et al discloses that 
identifying a service includes identifying a version and a patch level, as discussed above. 

As to claim 25, Gleichauf et al discloses that the step of sending a set of selected packets 
to a host on the network includes sending a plurality of sets of packets to the host. Gleichauf et 
al discloses that the step of receiving from the remote host a set of reflexive responsive packets 
includes receiving a like plurality of sets of reflexive responsive packets. 

As to claims 26, 40 and 41, Gleichauf et al discloses sending a first set of selected 
packets to a host on the network [column 4, lines 9-19]. Gleichauf et al discloses receiving a 
second set of packets from the remote host in response to the first set of packets [column 4, lines 
9-19]. Gleichauf et al discloses sending a third set of selected packets to a host on the network 
[column 4, lines 43-55]. Gleichauf et al discloses that the information contained in the third set 
of packets is based on information contained in the second set of packets [column 4, lines 56-67]. 
Gleichauf et al discloses receiving a fourth set of packets from the remote host in response to the 
third set of packets [column 6, lines 26-47]. Gleichauf et al discloses sending a fifth set of 
selected packets to a host on the network [column 6, lines 26-47]. Gleichauf et al discloses that 
the information contained in the fifth set of packets is based on information contained in the 
fourth set of packets [column 6, lines 26-47]. Gleichauf et al discloses receiving a sixth set of 
packets from the remote host in response to the fifth set of packets [column 6, lines 26-47]. 
Gleichauf et al discloses based on information contained in the second, fourth, and sixth set of 
packets, identifying an operating system of a host on the network, including a version and a 
patch level [column 6, lines 48-65]. 

As to claim 27, Gleichauf et al discloses sending a seventh set of selected packets to a 
host on the network [column 6, lines 48-65]. Gleichauf et al discloses receiving an eighth set of 
packets from the remote host in response to the seventh set of packets [column 6, lines 48-65]. 
Gleichauf et al discloses sending a ninth set of selected packets to a host on the network [column 
6, lines 48-65]. Gleichauf et al discloses receiving a tenth set of packets from the remote host in 
response to the ninth set of packets [column 6, lines 48-65]. Gleichauf et al discloses that based 
on information contained in the eighth and tenth sets of packets, identifying a service of a host on 
the network, including a version and a patch level [column 6, lines 48-65]. 

As to claim 28, Gleichauf et al discloses that based on information contained in at least 
the tenth sequence, identifying a vulnerability [column 6, lines 48-65]. 

As to claim 30, Gleichauf et al discloses sending a plurality of packets to a network, as 
discussed above. Gleichauf et al discloses receiving a responsive plurality of packets from the 
network, as discussed above. Gleichauf et al discloses comparing information in the responsive 
packets to information stored in a database [column 6, lines 48-65]. Gleichauf et al discloses that 
based on the comparison, identifying a plurality of network conditions, including a vulnerability 
of the network [column 6, lines 48-65]. 

As to claim 33, Gleichauf et al discloses sending packets to a network, as discussed 
above. Gleichauf et al discloses receiving responsive packets from the network, as discussed 
above. Gleichauf et al discloses comparing information in the responsive packets to information 
stored in a database, as discussed above. Gleichauf et al discloses that based on the comparison, 
inferring an unknown vulnerability [column 7, lines 32-53]. 

As to claim 34, Gleichauf et al discloses sending packets to a network, as discussed 
above. Gleichauf et al discloses receiving responsive packets from the network, as discussed 
above. Gleichauf et al discloses comparing information in the responsive packets to information 
stored in a database, as discussed above. Gleichauf et al discloses that based on the comparison, 
identifying a security policy violation [column 7, lines 32-53]. 

As to claim 42, Gleichauf et al discloses receiving a set of selected packets from remote 
equipment, as discussed above. Gleichauf et al discloses automatically sending a second set of 
packets to the remote equipment, which packets include information that enables the remote 
equipment to identify a vulnerability on the network, as discussed above. 

As to claim 43, Gleichauf et al suggests receiving a first set of packets from remote 
equipment [column 5, lines 1-65]. Gleichauf et al suggests automatically sending a second set of 
packets to the remote equipment [column 5, lines 1-65]. Gleichauf et al suggests receiving a 
third set of packets from the remote equipment [column 5, lines 1-65]. Gleichauf et al suggests 
automatically sending a fourth set of packets to the remote equipment [column 5, lines 1-65]. 
Gleichauf et al suggests receiving a fifth set of packets from the remote equipment [column 5, 
lines 1-65]. Gleichauf et al suggests automatically sending a sixth set of packets from the remote 
equipment [column 5, lines 1-65]. Gleichauf et al suggests receiving a seventh set of packets 
from the remote equipment [column 5, lines 1-65]. Gleichauf et al suggests automatically 
sending an eighth set of packets from the remote equipment [column 5, lines 1-65]. Gleichauf et 
al suggests receiving a ninth set of packets from the remote equipment [column 5, lines 1-65]. 
Gleichauf et al suggests automatically sending a tenth set of packets from the remote equipment 
[column 5, lines 1-65]. Gleichauf et al suggests that the second, fourth, and sixth sets of packets 
include information that enables the remote equipment to identify an operating system on the 
network, including a version and a patch level [column 5, lines 1-65]. Gleichauf et al suggests 
that the eighth and tenth sets of packets include information that enables the remote equipment 
to identify a service, including a version and a patch level [column 5, lines 1-65]. 

3. Claims 31, 35, 36 and 38 are rejected under 35 U.S.C. 102(e) as being anticipated by Hill 
et al U.S. Patent No. 6,088,804. 

As to claim 31, Hill et al discloses sending packets to a network [column 5, lines 26-45]. 
Hill et al discloses receiving responsive packets from the network [column 5, lines 46-65]. Hill 
et al discloses comparing information in the responsive packets to information stored in a 
database [column 6, lines 9-22]. Hill discloses based on the comparison, identifying a Trojan 
application on the network [column 5, lines 46-65]. 

As to claim 35, Hill et al discloses a database including a set of reflex signatures [column 
5, lines 46-65]. Hill discloses a packet generator [column 6, lines 9-22]. Hill et al discloses a 
comparison unit in communication with the packet generator and the database [column 6, lines 
9-22]. Hill et al discloses that the packet generator is designed to generate and transmit a 
plurality of test packets to the network [column 5, lines 8-15]. Hill et al discloses that the 
comparison unit is designed to receive responsive packets from the network and to compare 
responsive packet information with the reflex signatures [column 5, lines 46-65]. 

As to claim 36, Hill et al discloses that the comparison unit is further designed to identify 
a vulnerability in the network based on its comparison of packet information with reflex 
signatures [column 6, lines 32-60]. 

As to claim 38, Hill et al discloses that the comparison unit is designed to provide 
information to the packet generator, and wherein the packet generator is designed to use the 
information to selectively generate packets [column 5, lines 6-65]. 

4. Claim 32 is rejected under 35 U.S.C. 102(e) as being anticipated by Diersch et al U.S. 
Patent No. 6,101,606. 

As to claim 32, Diersch et al discloses sending packets to a network [column 5, lines 
11-65]. Diersch et al discloses receiving responsive packets from the network [column 5, lines 
11-65]. Diersch et al discloses comparing information in the responsive packets to information 
stored in a database [column 5, lines 11-65]. Diersch et al discloses that based on the 
comparison, identifying unauthorized software use on the network [column 5, lines 11-65]. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

5. Claims 6 and 22 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Gleichauf et al U.S. Patent No. 6,324,656 B1 as applied to claim 1 above, and further in 
view of Drake U.S. Patent No. 6,006,328. 

As to claims 6 and 22, Gleichauf et al does not teach identifying a Trojan application on 
the host. 

Drake teaches identifying a Trojan application on the host [column 1 line 56 to column 2 
line 2]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Gleichauf et al so that when the operating system 
is being identified that a Trojan application on the host was also identified. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Gleichauf et al by the teaching of Drake because it 
prevents eavesdropping, prevents disassembly and examination, detects tampering, prevents 
execution-tracing and ensures authenticity [column 5, lines 3-14]. 

6. Claims 7 and 21 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Gleichauf et al U.S. Patent No. 6,324,656 B1 as applied to claim 1 above, and further in 
view of Hornbuckle U.S. Patent No. 5,388,211. 

As to claims 7 and 21, Gleichauf et al does not teach identifying unauthorized software 
use on the host. 

Hornbuckle teaches identifying unauthorized software use on the host [column 3, lines 
6-63]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Gleichauf et al so that when the operating system 
is being identified that unauthorized software use was also identified on the host. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Gleichauf et al by the teaching of Hornbuckle because it 
prevents theft, copying, vandalism or modification [column 3, lines 6-15]. 

7. Claim 37 is rejected under 35 U.S.C. 103(a) as being unpatentable over Hill et al U.S. 
Patent No. 6,088,804 as applied to claim 35 above, and further in view of Gleichauf et al 
U.S. Patent No. 6,324,656 B1. 

As to claim 37, Hill et al does not teach that the comparison unit is further designed to 
identify an operating system type, version, and patch level and a service type, version, and patch 
level of a host on the network. 

Gleichauf et al teaches a comparison unit that is designed to identify an operating system 
type, version, and patch level and a service type, version, and patch level of a host on the 
network, as discussed above. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Hill et al so that the comparison unit would have 
identified an operating system type, version, and patch level and a service type, version, and 
patch level of a host on the network. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Hill et al by the teaching of Gleichauf et al because the 
examiner asserts that certain versions of some operating systems are known to have known 
vulnerabilities as well as service types and patch levels. Therefore, it would be necessary to 
check these elements on a host to prevent exploitations on these known vulnerabilities. 

Conclusion 

8. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Aravind K Moorthy whose telephone number is 703-305-1373. 
The examiner can normally be reached on Monday-Friday, 8:00-5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R Sheikh can be reached on 703-305-9648. The fax phone number for the 
organization where this application or proceeding is assigned is 703-746-7239. 

Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the receptionist whose telephone number is 703-305-1373. 



Aravind K Moorthy 
December 8, 2003 



